Skip to content

Latest commit

 

History

History
 
 

Serverless phpIPAM on Cloud Run

phpIPAM is an open-source IP address management (IPAM) system that can be used to manage IP addresses in both on-premises and cloud environments. It is a powerful tool that can help businesses to automate IP address management, proactively identify and resolve IP address conflicts, and plan for future IP address needs.

This repository aims to speed up deployment of phpIPAM software on Google Cloud Platform Cloud Run serverless product. The web application can be exposed either publicly via Global Application Load Balancer or internally via Internal Application Load Balancer. More information on the architecture section.

Architecture

Serverless phpIPAM on Cloud Run

The main components that are deployed in this architecture are the following ( you can learn about them by following the hyperlinks):

  • Cloud Run: serverless PaaS offering to host containers for web-oriented applications, while offering security, scalability and easy versioning
  • Cloud SQL: Managed solution for SQL databases
  • VPC Serverless Connector: Solution to access the CloudSQL VPC from Cloud Run, using only internal IP addresses
  • Global Application Load Balancer (*): An external Application Load Balancer is a proxy-based Layer 7 load balancer that enables you to run and scale your services behind a single external IP address.
  • Cloud Armor (*): Help protect your applications and websites against denial of service and web attacks.
  • Identity Aware Proxy (*): IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
  • Regional Internal Application Load Balancer (*): A Google Cloud internal Application Load Balancer is a regional proxy-based layer 7 load balancer that enables you expose your services behind a single internal IP address.

(*) Product deployment depends on input variables

Setup

Prerequisites

Setting up the project for the deployment

This example will deploy all its resources into the project defined by the project_id variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the project_create variable, the project will be created as part of the deployment.

If project_create is left to null, the identity performing the deployment needs the owner role on the project defined by the project_id variable. Otherwise, the identity performing the deployment needs resourcemanager.projectCreator on the resource hierarchy node specified by project_create.parent and billing.user on the billing account specified by project_create.billing_account_id.

Deployment

Step 0: Cloning the repository

If you want to deploy from your Cloud Shell, click on the image below, sign in if required and when the prompt appears, click on “confirm”.

Open Cloudshell

Otherwise, in your console of choice:

git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric

Before you deploy the architecture, you will need at least the following information (for more precise configuration see the Variables section):

  • The project ID.

Step 2: Prepare the variables

Once you have the required information, head back to your cloned repository. Make sure you’re in the directory of this tutorial (where this README is in).

Configure the Terraform variables in your terraform.tfvars file. See terraform.tfvars.sample as starting point - just copy it to terraform.tfvars and edit the latter. See the variables documentation below.

Notes:

  1. If you have the domain restriction org. policy on your organization, you have to edit the cloud_run_invoker variable and give it a value that will be accepted in accordance to your policy.
  2. By default, the application will be exposed externally through Global Application Load Balancer, for restricting access to specific identities please check IAP configuration or deploy the application internally via the ILB
  3. Setting the phpipam_exposure variable to "INTERNAL" will deploy an Internal Application Load Balancer on the same VPC. This might be the preferred option for enterprises since it prevents exposing the application publicly still allowing internal access through private network (via either VPN and/or Interconnect)

Step 3: Deploy resources

Initialize your Terraform environment and deploy the resources:

terraform init
terraform apply

Step 4: Use the created resources

Upon completion, you will see the output with the values for the Cloud Run service and the user and password to access the application. You can also view it later with:

terraform output
# or for the concrete variable:
terraform output cloud_run_service

Please be aware that the password created in the script is not yet configured in the application, you will be prompted to insert that during phpIPAM installation process at first login. To access the newly deployed application follow these instructions:

  1. Get the default phpIPAM url from the terraform output in the form {IP_ADDRESS}.nip.io
  2. Open your browser at that URL and you will see your phpIPAM installation page like the following one:

phpIPAM Installation page

  1. Click on "New phpipam installation". On the next page click "Automatic database installation", you will be prompted to the following form:

phpIPAM DB install

  1. Insert "admin" as the MySQL username and the password available on the terraform output of this command below (without quotes). Untick the "Create new database" otherwise you'll get an error during installation, leave all the other values as default and then click on " Install phpipam database"
terraform output cloudsql_password
  1. After some time a "Database installed successfully!" message should pop up. Then click "continue" and you'll be prompted to the last form for configuring admin credentials:

phpIPAM Admin setup

  1. Insert the phpipam password available in the output of the following command and choose a site title. Then insert the site url and click "Save settings". "A Settings updated, installation complete!" message should pop up and clicking "Proceed to login." will redirect you to the login page. Be aware this is just a convenient way to have a backup admin password in terraform, you could use whatever password you prefer.
terraform output phpipam_password
  1. Insert "admin" as username and the password configured on the previous step and after login you'll finally get to the phpIPAM homepage.

phpIPAM Homepage

Cleaning up your environment

The easiest way to remove all the deployed resources is to run the following command in Cloud Shell:

terraform destroy

The above command will delete the associated resources so there will be no billable charges made afterwards.

Variables

name description type required default
prefix Prefix used for resource names. string
project_id Project id, references existing project if project_create is null. string
admin_principals Users, groups and/or service accounts that are assigned roles, in IAM format (group:[email protected]). list(string) []
cloud_run_invoker IAM member authorized to access the end-point (for example, 'user:YOUR_IAM_USER' for only you or 'allUsers' for everyone). string "allUsers"
cloudsql_password CloudSQL password (will be randomly generated by default). string null
connector Existing VPC serverless connector to use if not creating a new one. string null
create_connector Should a VPC serverless connector be created or not. bool true
custom_domain Cloud Run service custom domain for GLB. string null
iap Identity-Aware Proxy for Cloud Run in the LB. object({…}) {}
ip_ranges CIDR blocks: VPC serverless connector, Private Service Access(PSA) for CloudSQL, CloudSQL VPC. object({…}) {…}
phpipam_config PHPIpam configuration. object({…}) {…}
phpipam_exposure Whether to expose the application publicly via GLB or internally via ILB, default GLB. string "EXTERNAL"
phpipam_password Password for the phpipam user (will be randomly generated by default). string null
project_create Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. object({…}) null
region Region for the created resources. string "europe-west4"
security_policy Security policy (Cloud Armor) to enforce in the LB. object({…}) {}
vpc_config VPC Network and subnetwork self links for internal LB setup. object({…}) null

Outputs

name description sensitive
cloud_run_service CloudRun service URL.
cloudsql_password CloudSQL password.
phpipam_ip_address PHPIPAM IP Address either external or internal according to app exposure.
phpipam_password PHPIPAM user password.
phpipam_url PHPIPAM website url.
phpipam_user PHPIPAM username.

Test

module "test" {
  source           = "./fabric/blueprints/third-party-solutions/phpipam"
  admin_principals = ["group:[email protected]"]
  prefix           = "test"
  project_create = {
    billing_account_id = "1234-ABCD-1234"
    parent             = "folders/1234563"
  }
  project_id = "test-prj"
}
# tftest modules=7 resources=43